{
	"id": "48492091-9ddd-413c-9648-c20dbb939605",
	"created_at": "2026-04-06T00:22:09.906168Z",
	"updated_at": "2026-04-10T13:11:34.47308Z",
	"deleted_at": null,
	"sha1_hash": "fc09bd3b1573965fb7bf428272305318477bc581",
	"title": "Token Manipulation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1508511,
	"plain_text": "Token Manipulation\r\nPublished: 2017-04-03 · Archived: 2026-04-05 16:19:23 UTC\r\nRunning a Windows service as Local System is a known bad security practice: if the service is compromised in any way, the attacker gains the same level of privileges. However, it is also possible to escalate privileges from a service that is not running as SYSTEM but as Network Service.\r\nFrom Service Account to System\r\nThere are many occasions in penetration testing engagements where the penetration tester has managed to compromise a service like Apache, IIS, SQL, MySQL etc., but the service is not running as Local System or under a high-privileged account but as Network Service.\r\nApache Service running as Network Service\r\nThe list of tokens available via Meterpreter in this case is limited to Network Service, as Apache is running under this account.\r\nhttps://pentestlab.blog/2017/04/03/token-manipulation/\r\nMeterpreter – Available Tokens\r\nHowever, there is a technique that tries to trick the “NT Authority\\System” account into negotiating and authenticating via NTLM locally, so that the token for the “NT Authority\\System” account becomes available and privilege escalation is therefore possible. This technique is called Rotten Potato and it was introduced at DerbyCon 2016 by Stephen Breen and Chris Mallz.\r\nPrivilege Escalation – Rotten Potato\r\nService Running as Administrator\r\nAlternatively, if the service is running as a high-privileged user like administrator, or if the service allows users to connect via Windows authentication (i.e. SQL Server allows that), then it is possible to escalate privileges by impersonating the token of the administrator account.\r\nApache Service Running as Administrator\r\nThis can be done through the Metasploit Framework incognito extension or directly through the MWR Infosecurity tool incognito.\r\nMetasploit – Token Impersonation\r\nIncognito – Listing the available tokens\r\nPowerSploit\r\nSystem tokens can also be manipulated through PowerSploit: Joseph Bialek, inspired by the tool incognito, wrote a PowerShell script that can perform the same activities.\r\nPowerSploit – Token Enumeration\r\nPowerSploit – Token Manipulation\r\nReferences\r\nRotten Potato – Privilege Escalation from Service Accounts to SYSTEM\r\nhttps://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/\r\nhttps://labs.mwrinfosecurity.com/blog/incognito-v2-0-released/\r\nhttps://www.trustedsec.com/january-2015/account-hunting-invoke-tokenmanipulation/\r\nSource: https://pentestlab.blog/2017/04/03/token-manipulation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pentestlab.blog/2017/04/03/token-manipulation/"
	],
	"report_names": [
		"token-manipulation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc09bd3b1573965fb7bf428272305318477bc581.pdf",
		"text": "https://archive.orkl.eu/fc09bd3b1573965fb7bf428272305318477bc581.txt",
		"img": "https://archive.orkl.eu/fc09bd3b1573965fb7bf428272305318477bc581.jpg"
	}
}